Sandboxing with Sysmon

My Sysmon use case was mostly about analyzing malware activity in a sandbox, where in the past, I had to orchestrate few utilities to collect process and network activity logs from various sources. The issue with this approach is that sometimes the focus tends to shift towards organizing collected data more than analyzing it.

In the last update to Sysmon View, I added two more features:

Visualization of Process creation hierarchy.

Ability to import network packet capture for correlation with the Sysmon Network event

The second feature helps in advancing analysis, for example, looking up packet payload, tracing the entire session conversation or even analyzing non-standard port use (MITRE T1065).

Importing a network capture file

To do this, we need an exported XML Sysmon log (check GitHub on how to import logs to Sysmon View) and a matching (captured within the same time frame) packet trace file (PCAP or PCAPNG file). Once Sysmon logs are imported, you can add/import the network trace file as shown here

Tshark is needed for all of this to work, it is used to convert the PCAP/PCAPNG files to JSON for parsing; it is also used to extract (filter) packets later. Tshark is part of Wireshark installation, and its path must be set in Sysmon View preferences as shown here (Wireshark is also needed to view extracted packets)

Once packet capture file is imported, Sysmon View will correlate any Sysmon network event with a matching network conversation (packets), the event’s “details” box will display a link to indicate that a matching network capture exist for a specific event

Clicking this link will run Wireshark with a temporary generated file (in the form of Capture_Year_Month_Day_Hour_Minute_Second.pcapng) with a Wireshark filter matching network event source, destination (IP and Port) and transport (TCP or UDP)

To be able to test this feature, a time-matching logs needs to be generated, to help make this task more productive, I created a small command line utility, “Sysmon Box”…

Sysmon Box

While testing Sysmon View I spent a good deal of time and effort trying to generate logs from both, Sysmon and Wireshark, so, to save yours, I created a small command line utility, “Sysmon Box” to help in automating this process, here is a description of what the tool will do when running the following command (Sysmon needs to be readily installed):

SysmonBox -in Wi-Fi

Start capturing traffic (using tshark in the background, this is why specifying the capture interface using the -in option is mandatory to be passed to tshark)

Generate Sysmon and traffic logs, when done, hit CTRL + C to end the session

Sysmon Box will stop traffic capture, dump all captured packets to a file and then export Sysmon events logged between the start and end time of the session using EVT utility

Build a Sysmon View database file (backup existing database, if any) with imported data, all you have to do is to run Sysmon View from the same folder or copy the database file (SysmonViewDB) in the same folder as Sysmon View (keep the captured packets files in the same location, they will be referenced by Sysmon View)

With Sysmon Box you have a mini (tiny) box running for analyzing behavior at process and network levels.

Sysmon View Database

If you use Sysmon Box or Sysmon View to import data, you can then skip using Sysmon View GUI and use the database directly for analysis, the database is an SQLite database, you can use any free database client tool to read the data, for example, to list all hashes, you can run the following SQL statement

SELECT * FROM AllHashes

Here is the output

Similarly, you can extract other information, such as registry keys, DNS queries or do a full-text search in addition to building more complex queries to identify malware behavior; the data model allows for correlating more data, beyond what Sysmon is logging (e.g. geo-mapping, VirusTotal ratings, network traffic, etc.). Additionally, this database file can be shared (safely) with others as a full “running session.”